Mobile Botnets: We Had Told You So
| April 20, 2012
| Category: Security Research
Mobile botnet Android/RootSmart (aka Bmaster) is making a substantial amount of money from premium SMS numbers or services, according to Cathal Mullaney’s discovery of a mobile botnet front-end: yes, we had told you so.
Glance at Guillaume Lovet’s paper at Virus Bulletin back in 2006, where he explains the business behind mobile botnets. His illustration is exactly what Android/RootSmart (aka Bmaster) does:
Later, at SAR SSI in 2010, I re-insisted on the potential impact of such strategies:
It’s interesting to notice my estimate of 20,000 SMS turns out to be accurate… per day: Android/RootSmart shows between 10,000 and 30,000 active devices each day.
I had also told you several times about the dangers of SMS short codes or premium numbers (1, 2, 3, 4, 5). With over 50% of mobile malware families sending SMS messages, I believe Trojan dialers are our enemy #1, along with focused spyware like Zitmo and Spitmo.
Technically speaking, too, I am not surprised mobile botmasters control their bots via the Internet: it’s easy to monitor and the C&C can be relocated if necessary. PoCs like Georgia Weidman’s, where commands are sent via SMS, do not seem very scalable to me (problems sending and processing the SMS without raising suspicion). It looks like the architecture SymbOS/Yxes drafted 2.5 years ago wins: that’s exactly what Android/RootSmart re-uses (apart from the automated propagation step, which is not included). So, really, we had warned you. But I don’t mind repeating myself: I am a mother ;)
By the way, if you are still listening: another warning for you. I foresee mobile botnets will try and spread via social networks. – the Crypto Girl
Axelle Apvrille